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(57) Abstract 

Security network driver software (72) is inserted between the network 
protocol TCP/IP and the corresponding network driver (40). Security 
measures are performed upon the network packets before the network 
packets are passed to the network protocol TCP/IP (22) from the application 
programming interface (34). A security network driver (72) is used along 
with two encryption/decryption libraries (76, 90) for added data security. 
A network driver (40) and additional hardware (46) are also used in 
communication with the networks (20, 21, 50). 
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DATA ENC RYPTION /DE CRYPTION 
FOR NETWORK COMMUNICATION 
5 Background 

This invention relates to data 
encryption/decryption for network communication. 

Referring to Fig. l, while executing a variety of 
software applications, 10, 12, 14, for example, Telnet 10 
10 or Microsoft*, Inc. Word* 12, computers 16 and 18 may 
exchange data over networks 20, 21, for example, a 
telephone company network, a private network, or a public 
network such as the internet or X.25. The applications 
communicate using network protocols 22, 24, 26, for 
15 example, transmission control protocol/ internet protocol 
(TCP/IP) 22 or internet packet exchange (IPX) 24, through 
application programming interfaces 28, 30, 32. Through 
application programming interfaces 34, 36, 38, the 
network protocols communicate with network drivers 40, 
20 42, 44 to direct network interface hardware 46, 48 to 
transfer data over the networks. 

While on a network, data being transmitted, 
including the addresses of the source and destination 
computers 16, 18, is accessible to others who may be 
25 monitoring the network* For security, the data is often 
encrypted before being sent on the network. 

Referring also to Fig. 2, for additional security, 
firewall computers 16, 18, which have direct access to a 
network 20 may be used to prevent unauthorized access to 
30 internal/private networks 50, 52. For example, when an 
internal network driver 53 within firewall computer 16 
receives data from an internal computer 54 that is 
destined for a computer 56 on a public network, it 
encrypts the data and the addresses of source computer 54 
35 and destination computer 56. Computer 16 then prepends 
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to the encrypted data a new IP header including its own 
address as well as the address of a destination computer, 
which may also be a firewall computer, e.g., computer 18. 

When a firewall computer receives a network packet 
5 from the network, it determines whether the transmission 
is authorized. If so, the computer examines the header 
within the packet to determine what encryption algorithm 
was used to encrypt the packet. Using this algorithm and 
a secret key, the computer decrypts the data and 

10 addresses of the source and destination computers 54, 56 
and sends the data to the destination computer. If both 
the source and destination computers are firewall 
computers, the only addresses visible (i.e., unencrypted) 
on the network are those of the firewall computers. The 

15 addresses of computers on the internal networks, and, 
hence, the internal network topology, are hidden. This 
has been termed "virtual private networking" (VPN) . 

Encrypting/decrypting data has been performed by 
complex security software within applications or, to 

20 simplify the applications, encrypting/decrypting has been 
performed within the protocol stack of network protocols. 

Rnirnnary 

In general, in one aspect, the invention features 
a method for processing network packets communicated on a 

25 network. Network packets are passed between a network 
protocol and a network driver via an application 
programming interface, and security measures are 
performed on the network packets before the network 
packets are passed to the network protocol from the 

3 0 application programming interface. 

Implementations of the invention may include one 
or more of the following features. The security measures 
may be performed on the network packets before the 
network packets are passed to the network driver from the 
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application programming interface. The security measures 
may be performed by a security network driver. The 
application programming interface may pass network 
packets to the security network driver and, after 
5 performing the security measures, the security network 
driver may pass the network packets back to the 
application programming interface. The network may be a 
public network. The security measures may include 
encapsulating the network packets before the network 

10 packets are transferred to the network, decapsulating the 
network packets after the network packets are received 
from the network, encrypting the network packets before 
the network packets are transferred to the network, and 
decrypting the network packets after the network packets 

15 are received from the network. The security measures may 
be selectable, and may be selectable through libraries. 
The libraries may include an encapsulation/decapsulation 
library and an encryption/decryption library. The method 
may also include, before passing network packets between 

20 the network protocol and the network driver via the 

application programming interface, passing the network 
packets between an application and the network protocol 
or between an internal network driver and the network 
protocol. 

25 In general, in another aspect, the invention 

features a method for processing network packets 
communicated on a network. The network packets are 
passed from a network protocol to an application 
programming interface, and then from the application 

30 programming interface to a security network driver. 

Security measures are performed on the network packets 
which are then passed back from the security network 
driver to the application programming interface. The 
network packets are then sent to a network driver which 

35 sends the network packets over the network. 
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Implementations of the invention may include one 
or more of the following features. Before passing 
network packets from the network protocol to the 
application programming interface, the network packets 
5 are passed from an application or an internal network 
driver to the network protocol. The method may also 
include receiving network packets over the network, 
passing the network packets from the network driver to 
the application programming interface, passing the 

10 network packets from the application programming 

interface to the security network driver, performing 
security measures on the network packets, passing the 
network packets from the security network driver back to 
the application programming interface, and passing the 

15 network packets from the application programming 
interface to the network protocol. The method may 
further include passing the network packets from the 
network protocol to an application or an internal network 
driver. 

20 In general, in another aspect, the invention 

features a method for use with a network protocol 
application programming interface. Network packets are 
passed to a security network driver from the application 
programming interface and security measures are performed 

25 on the network packets. The secure network packets are 
then passed back to the application programming 
interface . 

Implementations of the invention may include one 
or more of the following features. Network packets may 

3 0 be passed between a network protocol and the application 
programming interface, and network packets may be passed 
between a network driver and the application programming 
interface. Before passing network packets to the 
security network driver, the method may include altering 

3 5 a road map to allow network packets to be passed between 
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the application programming interface and the security 
network driver. The network may be a public network. 

In general, in another aspect, the invention 
features a network packet processor including a network 
5 protocol and an application programming interface coupled 
with the network protocol and configured to pass network 
packets with the network protocol. The network packet 
processor also includes a security network driver coupled 
with the application programming interface which is 

10 configured to pass the network packets with the 

application programming interface and perform security 
measures on the network packets. A network driver 
coupled with the application programming interface is 
configured to pass the network packets with the 

15 application programming interface. 

Implementations of the invention may include one 
or more of the following features. The network packet 
processor may also include an application coupled with 
the network protocol and configured to pass the network 

20 packets with the network protocol, and an internal 
network driver coupled with the network protocol and 
configured to pass the network packets with the network 
protocol. 

Advantages of the invention may include one or 
25 more of the following. Providing a separate security 
network driver for encrypting /decrypting and 
encapsulating/decapsulating data and addresses simplifies 
the applications and network protocols. Newly developed 
security features may be implemented by modifying only 
3 0 the security network driver, instead of the complex 
security software in each application or the protocol 
stacks of each network protocol. In addition, because 
the security network driver provides the user with those 
security features required by the user, users are not 
3 5 limited to those applications and protocols that 
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implement the necessary security features, and any 
application or protocol may be used without modification. 
Further, the security network driver may access any 
available encryption/ decryption library and 
5 encapsulation/decapsulation library. Because the 

applications and protocols do not access these libraries, 
the user's choice of applications and protocols is not 
limited by the available libraries. 



10 from the following description and from the claims. 

Description 
Fig. 1 is a block diagram of two computers 
connected together through two networks. 



Fig. 10 is a flow chart of tunnel record 
generation. 

Fig. 11 is a flow chart of tunnel record updating. 
As seen in Fig. 3, security network driver 
30 software 72 is inserted between network protocol TCP/IP 
22 and corresponding network driver 40. The security 
network driver encrypts information before it is sent on 
the network by the network driver and decrypts 
information received from the network by the network 
35 driver before the information is sent to the network 



Other advantages and features will become apparent 



20 



25 



15 



Fig. 2 is a block diagram of two firewall 
computers and networks. 

Fig. 3 is a block diagram of a computer including 
a security network driver. 

Fig. 4 is a flow chart of encapsulation and 
encryption. 

Figs. 5 and 6 are block diagrams of network 
packets . 

Fig. 7 is a flow chart of decryption and 
decapsulation . 

Fig. 8 is a block diagram of virtual tunnels. 
Fig. 9 is a block diagram of a computer network. 
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protocol. As a result, after choosing a security network 
driver with the required security features, users may 
freely choose among available applications and network 
protocols regardless of the required level of security 
5 and regardless of the available encrypt ion /decrypt ion 

libraries and without having to compromise their security 
needs. Moreover, the chosen applications and network 
protocols need not be modified. To change the level of 
security, the user may simply chose another security 
10 network driver or modify the current security network 
driver. 

Generally, a computer's operating system software 
defines a "road map" indicating which applications may 
communicate with each other. To insert a security 

15 network driver between a network protocol and a network 
driver, the road map is altered. The vendor of the 
operating system software may make the road map available 
or the road map may be determined through observation and 
testing. Once the road map is altered, functions such as 

20 send and receive, between the network protocol and the 
network driver are diverted to the network security 
driver to encrypt data before it is sent on the network 
and to decrypt data when it is received from the network. 

Referring to Figs. 3 and 4, as an example, to send 

25 data from computer 16 to computer 18 on the internet, 
Telnet 10 issues (step 60) a send call to TCP/IP 22 
through network protocol API 28. The send call includes 
a network packet 62 (Fig. 5) having a header 64 and data 
66. The header includes information such as the 

3 0 addresses of the source and destination computers and the 
type of application that sent the data. The network 
protocol then issues (step 68) a send call to the network 
driver API which, in accordance with the altered road 
map, issues (step 70) a send call to a security network 

3 5 driver (SND) 72. 
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The security network driver issues (step 74) an 
encapsulate call to an encapsulate/decapsulate library 76 
through an API 77. In one example, the 
encapsulate/decapsulate library uses the swIPe IP 
5 Security Protocol created by J. Ioannidis of Columbia 

University and M. Blaze of AT&T* , Inc. which is described 
in an Internet Draft dated December 3, 1993 and 
incorporated by reference. Referring also to Pig. 6, the 
encapsulate call generates a new network packet 78 in 

10 accordance with the swIPe protocol. The new packet 
includes a header 80, a swIPe protocol header 82, and 
data 84. According to options within the swIPe protocol, 
header 80 may be the original header 64 (Fig. 5) , in 
which case, data 84 is the original data 66, or header 80 

15 may be a new header including the address of a source 
firewall computer, e.g., computer 16 (Fig. 2), and a 
destination computer which may also be a firewall 
computer, e.g., 18. Where header 80 is a new header, 
data 84 includes the entire original network packet 62 

20 (Fig. 5) . 

After encapsulating the network packet, the 
security network driver issues (step 88, Fig. 4) an 
encryption call to an encryption/decryption library 90 
(Fig. 3) through an API 91. Library 90 encrypts a 

25 portion 92 of the encapsulated network packet including 
data 84 and part of swIPe protocol header 82. Header 80 
(Fig. 6) is not encrypted. Thus, if, according to 
options within the swIPe protocol, header 80 is the 
original header 64 (Fig. 5), then the addresses of the 

30 source and destination computers are visible on the 
internet. On the other hand, if header 80 is a new 
header including the addresses of firewall computers, 
then the addresses of internal source and destination 
computers are encrypted and not visible on the internet. 
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Library 90 may be of the type sold by RSA Data 
Security™, Inc. of Redwood City, California and may 
encrypt the data according to an RSA algorithm such as 
RC2 or RC4 or according to a federal information 
5 processing standard (FIPS) such as data encryption 
standard (DES) • 

The security network driver then issues (step 94) 
a send call, including the encapsulated/ encrypted network 
packet, to the API, and the API, in accordance with the 
10 altered road map, issues (step 96) a send call to a 
network driver, e.g. , network driver 40. The network 
driver then causes hardware 46 to transmit (step 98) the 
encapsulated/ encrypted network packet on the network. 

Referring to Figs. 3 and 7, the network drivers of 
15 each computer 16, 18 (Figs. 2 and 3) maintain a database 
of addresses to which they will respond. For example, 
when network driver 40 receives (step 100) a properly 
addressed network packet from network 20, the network 
driver issues (step 102) a receive call to corresponding 

2 0 network protocol API 34. In accordance with the altered 

road map, the API issues (step 104) a receive call to 
security network driver (SND) 72 which issues (step 106) 
an authorization call to encapsulate /decapsulate library 
76 through API 77. Library 76 examines the unencrypted 
25 portion of swIPe header 82 (Fig. 6) to determine (step 

108) whether it is proper. If it is not proper, an error 
(step 110) is flagged. 

If the header 82 is not a swIPe header, then the 
security network driver issues a receive call to the API 

3 0 including the unaltered packet. 

If the swIPe header is proper, the security 
network driver issues (step 112) a decryption call to 
encrypt ion /decrypt ion library 90 through API 91. A 
portion of the unencrypted swIPe protocol header includes 
3 5 a policy identification (id) field 113. The policy id 
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field indicates the encryption algorithm used to encrypt 
the data. Library 90 uses a secret key that was 
previously exchanged between the computers and the 
encryption algorithm to decrypt data 84. 
5 After decryption, the security network driver 

issues (step 114, Fig. 7) a digital signature check call 
to encapsulate/decapsulate library 76. The swIPe 
protocol header includes a digital signature 86. The 
digital signature is a unique number calculated using the 

10 data in the network packet, the secret key, and a digital 
signature algorithm. Library 76 recalculates the digital 
signature and compares (step 116) it to digital signature 
86 in the network packet. If the network packet is 
tampered with during transmission and any data within the 

15 packet is changed, then the digital signature in the 

packet will not match the digital signature generated by 
the receiving computer and an error (step 118) will be 
flagged. 

If the signatures match, then the security network 

20 driver issues (step 120) a receive call to the API which 
issues (step 121) a receive call to the TCP/IP network 
protocol including only the original network packet 62 
(Fig. 5, data 66 and addresses of the source and 
destination computers 64). If (step 122) the network 

25 packet is destined for computer 16, then TCP/IP issues 

(step 124) a receive call to an application 10, 12 and if 
the network packet is destined for a computer on an 
internal network, e.g., computer 54 (Fig. 2) on network 
50, then TCP/IP issues (step 126) a receive call to 

30 internal network driver 53 which then sends (step 128) 
the data to the internal computer. 

Referring to Fig. 8, the policy id field may be 
used to create virtual tunnels 140, 142 between firewall 
computers 146, 148 on internet 152. When computer 146 

3 5 receives a network packet, it checks the policy id to 
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determine which "tunnel" the packet came through. The 
tunnel indicates the type of encryption algorithm used to 
encrypt the packet* 

Multiple tunnels 140 , 142 may connect two 
5 computers 146 f 148 and each tunnel may use a different 
encryption algorithm. For example, tunnel 140 may use 
the RC2 encryption algorithm from RSA Data Security* , 
Inc. while tunnel 142 uses the FIPS DES encryption 
algorithm. Because the RC2 encryption algorithm is less 

10 secure and requires less computer processing time than 
the FIPS DES standard, users may send a larger number of 
network packets requiring less security over tunnel 140 
as opposed to tunnel 142. Similarly, predetermined 
groups of users or computers may be restricted to sending 

15 their packets over particular tunnels (effectively 
attaching a packet filter to each tunnel) . 

The tunnel may also indicate where the packet is 
to be sent. Primary firewall computers 16, 18 store 
information about the internal path of each tunnel in a 

20 tunnel database. When computer 146 receives a packet 

whose policy id indicates that the packet came through a 
tunnel that ends at computer 146, e.g., tunnel 142, 
computer 146 decapsulates and decrypts the packet and 
sends the decrypted packet over internal network 154 to 

25 the proper destination computer in accordance with the 
decrypted destination address. When computer 146 
receives a packet whose policy id indicates that it came 
through a tunnel that does not end with computer 146, 
e.g., tunnel 140, computer 146 does not decapsulate and 

3 0 decrypt the packet. Instead, computer 146 sends the 
encrypted packet to internal firewall computer 158 in 
accordance with the tunnel database. 

Internal firewall computer 158 also has a tunnel 
database in which the internal path of any tunnels 

35 connected to computer 158 are stored. As a result, when 
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computer 158 receives a packet: whose policy id indicates 
that it came through a tunnel that ends with computer 
158, e.g., tunnel 140, it decapsulates and decrypts the 
packet according to the policy id and sends the decrypted 
5 packet over internal network 160 to computer 162 in 
accordance with the decrypted destination address. 

The only addresses visible on the internet and on 
internal network 154 are the addresses of the firewall 
computers 146, 148, and 158. The address of internal 

10 computer 162 and, hence, the network topology of network 
160 are protected on both the internet and internal 
network 154. 

The tunnel databases provide the firewall 
computers 146, 148, and 158 with information as to the 

15 internal path of the tunnels. Thus, if computer 162 was 
another firewall computer, computer 146 may modify the 
destination address of packets received on tunnel 140 to 
be the address of computer 162 to cause computer 158 to 
send the packet directly to computer 162 without checking 

20 the policy id field. 

Encapsulating/ decapsulating and 
encrypting/ decrypting network packets may require a large 
portion of a computer's processing power. Creating 
virtual tunnels using the policy id field allows the 

25 encapsulating /decapsulating and encrypting /decrypting of 
network packets to be spread across several computers. 
For example, computer 146 may decapsulate and decrypt 
network packets destined for computers connected to 
internal network 154 while computer 158 may decapsulate 

30 and decrypt network packets destined for computers 

connected to internal networks 154 and 160. Similarly, 
computer 14 6 may encapsulate and encrypt network packets 
sent from computers connected to internal network 154 
while computer 158 may encapsulate and encrypt network 
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packets sent from computers connected to internal 
networks 154 and 160. 

The Kerberos Key Distribution Center components of 
Kerberos Network Authentication System created under 
5 project Athena at Massachusetts Institute of Technology, 
defines one method of providing computers with secret 
keys. Referring to Fig. 9, computer 130 is termed the 
"trusted" computer, and before computers 13 2 and 134 may 
transfer encrypted data to each other over network 136, 

10 both computers send a request to trusted computer 130 for 
a secret key. For a more detailed description of the 
Kerberos Key Distribution Center, see RFC1510 (request 
for comment) "Kerberos Network Authentication Service" by 
J. Kohl & B. Neuman, September 10, 1993, which is 

15 incorporated by reference. 

Referring back to Fig. 2, to transfer secure 
(i.e., encapsulated and/or encrypted) network packets 
between two computers, operators of the two computers may 
verbally exchange a secret key for each tunnel between 

20 the computers and then manually initialize the computers 
to transfer data by generating a tunnel record including 
a secret key for each tunnel between the two computers. 
Firewall computers are typically managed by skilled 
technicians capable of generating tunnel records . 

25 Typical users have non-firewall computers and may wish to 
transfer encapsulated/ encrypted data with a firewall 
computer. To avoid requiring that a typical user 
generate tunnel records and instead of having a separate 
trusted computer provide secret keys to two computers, a 

30 firewall computer 16, 18 may provide secret keys to other 
computers • 

Referring also to Fig. 10, when a user wishes to 
transfer packets between his/her computer and a firewall 
computer, the user requests (step 170) a password (a one- 
3 5 time pad) from the firewall operator. The operator then 
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generates (step 172) tunnel records for each tunnel over 
which the user's computer and the firewall computer may 
transfer network packets. The operator also stores (step 
174) the password given to the user on the firewall 
5 computer. The user installs (step 176) the security 
network driver (SND) software on his/her computer and 
runs (step 178) a configuration program. The 
configuration program prompts (step 180) the user for the 
password and sends (step 182) a configuration request to 

10 the firewall computer. 

The firewall computer identifies (step 184) the 
user's computer as the sender of the request and notifies 
the user's computer of the available tunnels by sending 
(step 186) the complete tunnel records, including secret 

15 keys, associated with each tunnel to the user's computer. 
The tunnel records are sent through network packets that 
are encrypted using the password and the encryption 
algorithm. Afterwards, the firewall deletes (step 188) 
the password, and further network packets are transmitted 

20 between the two computers through the available tunnels 
and encrypted according to the secret key associated with 
each tunnel* 

Referring to Fig. 11, generally, each time the 
user's computer accesses (step 190) the internet, a new 

25 internet address is assigned. The firewall computer 
needs to know the new address in order to update the 
tunnel records. To notify the firewall computer of the 
new internet address, each time the user's computer 
accesses the internet, the configuration software issues 

30 (step 192) a connect request to the firewall computer. 
The firewall computer identifies (step 194) the computer 
and may prompt the user for a user name and a user 
password. If the user name and password are authorized 
(step 196) , the firewall updates (step 198) the tunnel 

35 records with the internet address sent as part of the 
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connect request.. The configuration software also updates 
(step 200) the non-firewall computer's tunnel records 
with the computer's new internet address . 

Other embodiments are within the scope of the 
5 following claims. 

For example , instead of encapsulating the network 
packets using the swIPe protocol header, other internet 
security algorithms may be used. 

Although the security network driver was described 
10 with respect to send and receive functions, APIs from 
different manuf acturers, for example, Sun™, Inc. and 
Microsoft 1 " , Inc., include a variety functions, and the 
security network driver is designed to respond to each 
possible function. 
15 The security network driver may also be 

simultaneously connected to multiple network protocols, 
e.g., both TCP/IP 22 and IPX 24, as shown in Fig. 3. 
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What is claimed is: 

1. A method for processing network packets 
communicated on a network, comprising: 

passing network packets between a network protocol 
5 and a network driver via an application programming 
interface; and 

performing security measures on the network 
packets before the network packets are passed to the 
network protocol from the application programming 
10 interface. 

2. The method of claim 1, further comprising: 
performing security measures on the network 

packets before the network packets are passed to the 
network driver from the application programming 
15 interface • 

3. The method of claim 1, wherein the security 
measures are performed by a security network driver. 

4. The method of claim 3, wherein the application 
programming interface passes network packets to the 

20 security network driver and, after performing the 

security measures, the security network driver passes the 
network packets back to the application programming 
interface. 

5. The method of claim 1, wherein the network 
25 comprising a public network. 

6. The method of claim 1, wherein the security 
measures include: 

encapsulating the network packets before the 
network packets are transferred to the network. 
30 7. The method of claim 1, wherein the security 

measures include: 

decapsulating the network packets after the 
network packets are received from the network. 

8. The method of claim 1, wherein the security 
35 measures include: 
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encrypting the network packets before the network 
packets are transferred to the network. 

9. The method of claim 1, wherein the security 
measures include: 

5 decrypting the network packets after the network 

packets are received from the network. 

10. The method of claim 1, wherein the security 
measures are selectable. 

11. The method of claim 10, wherein the security 
10 measures are selectable through libraries. 

12. The method of claim 11, wherein the libraries 
include an encapsulation/decapsulation library. 

13. The method of claim 11, wherein the libraries 
include an encryption/decryption library. 

15 14. The method of claim 1, further comprising, 

before passing network packets between the network 
protocol and the network driver via the application 
programming interface: 

passing the network packets between an application 

20 and the network protocol. 

15. The method of claim 1, further comprising, 
before passing network packets between the network 
protocol and the network driver via the application 
programming interface: 

25 passing network packets between an internal 

network driver and the network protocol. 

16. A method for processing network packets 
communicated on a network, comprising: 

passing the network packets from a network 
3 0 protocol to an application programming interface; 

passing the network packets from the application 
programming interface to a security network driver; 

performing security measures on the network 
packets ; 
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passing the network packets from the security 
network driver back to the application programming 
interface; 

passing the network packets to a network driver; 

5 and 

sending the network packets over the network. 

17. The method of claim 16, further comprising, 
before passing network packets from the network protocol 
to the application programming interface: 

10 passing network packets from an application or an 

internal network driver to the network protocol. 

18. The method of claim 16, further comprising: 
receiving network packets over the network; 
passing the network packets from the network 

15 driver to the application programming interface; 

passing the network packets from the application 
programming interface to the security network driver; 

performing security measures on the network 
packets ; 

20 passing the network packets from the security 

network driver back to the application programming 
inter f ace ; and 

passing the network packets from the application 
programming interface to the network protocol. 
25 19. The method of claim 18, further comprising: 

passing the network packets from the network 
protocol to an application or an internal network driver. 

20. A method for use with a network protocol 
application programming interface, comprising: 
3 0 passing network packets to a security network 

driver from the application programming interface; 

performing security measures on the network 
packets ; and 

passing the secure network packets back to the 
3 5 application programming interface. 
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21. The method of claim 20, further comprising: 
passing network packets between a network protocol 

and the application programming interface, 

22. The method of claim 20 , further comprising: 
passing network packets between a network driver 

and the application programming interface. 

23. The method of claim 20, further comprising, 
before passing network packets to the security network 
driver : 

altering a roadmap to allow network packets to be 
passed between the application programming interface and 
the security network driver. 

24. The method of claim 20, wherein the network fc 
comprises a public network. 

15 25. A network packet processor, comprising: 

a network protocol; 

an application programming interface coupled with 
the network protocol and conf igured to pass network 
packets with the network protocol; 
20 a security network driver coupled with the 

application programming interface and configured to pass 
the network packets with the application programming 
interface and perform security measures on the network 
packets ; and 

25 a network driver coupled with the application 

programming interface and configured to pass the network 
packets with the application programming interface. 

26. The network packet processor of claim 25, 
further comprising: 

30 an application coupled with the network protocol 

and configured to pass the network packets with the 
network protocol. 

27. The network packet processor of claim 25, 
further comprising: 
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an internal network driver coupled with the 
network protocol and configured to pass the network 
packets with the network protocol. 
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